Closed gladjohn closed 1 month ago
@Avery-Dunn - this isn't a bug per se, it's more of a question. Can you just get a unit test out to prove that claims + CP are handled correctly for the test case above? The fact that the claims mention access_token is important.
Adjusted unit tests in https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/811 to confirm this behavior
Library version used
not applicable
Java version
latest
Scenario
Other - please specify
Is this a new or an existing app?
None
Issue description and reproduction steps
We discovered a bug in MSAL .NET on how we merge the claims and capabilities json in CAE scenarios
Incoming claims :
And the merged claims and capab should be like this,
In MSAL .NET, we build claims and capab with access_token and xms_cc, but with the new incoming claim, we fail to do a proper merge, instead just return the incoming claim without the capab. All MSALs need to check if this is being properly handled. This issue started happening in MSAL .NET when we moved to start using system.text.json and wrote our own merge logic.
Please refer to MSAL .NET PR for the fix
Proposed unit test
Have 3 unit tests as follows:
Assert that the request has the "claims" set to
Assert: token comes from cache
Assert:
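The merge this issue describes, as an added example in Python that is not part of the original issue and is not code from any MSAL library. The function names and the sample claims challenge are constructed for illustration, and shallow_merge is only an assumed way of arriving at the reported outcome (incoming claims returned without the capabilities), not the actual MSAL .NET logic.

```python
import json

# Constructed sample claims challenge; the issue's own payload is not shown on the page.
SAMPLE_CHALLENGE = '{"access_token":{"nbf":{"essential":true,"value":"1701477303"}}}'


def capabilities_claims(capabilities):
    """Client capabilities expressed as claims, e.g. ["cp1"] -> access_token.xms_cc."""
    return {"access_token": {"xms_cc": {"values": list(capabilities)}}}


def deep_merge(base, incoming):
    """Merge JSON objects key by key, recursing where both sides hold an object."""
    merged = dict(base)
    for key, value in incoming.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value  # scalars, arrays and new keys: incoming wins
    return merged


def merge_claims_and_capabilities(claims_json, capabilities):
    """Return the string for the "claims" request parameter, or None if empty."""
    caps = capabilities_claims(capabilities) if capabilities else {}
    if not claims_json:
        return json.dumps(caps) if caps else None
    incoming = json.loads(claims_json)
    if not isinstance(incoming, dict):
        raise ValueError("claims must be a JSON object")
    return json.dumps(deep_merge(caps, incoming))


def shallow_merge(claims_json, capabilities):
    """Assumed faulty variant: a top-level overwrite drops xms_cc on key collision."""
    merged = capabilities_claims(capabilities)
    merged.update(json.loads(claims_json))
    return json.dumps(merged)


if __name__ == "__main__":
    print("deep   :", merge_claims_and_capabilities(SAMPLE_CHALLENGE, ["cp1"]))
    print("shallow:", shallow_merge(SAMPLE_CHALLENGE, ["cp1"]))
```

The collision only shows up when the incoming claims also contain access_token, which is why a unit test for this merge needs a challenge that mentions that key.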